问题
The SQL Injection on INSERT as described here doesn't seem to work with MySQL. SQL injection on INSERT
When I use this statement:
INSERT INTO COMMENTS VALUES('122','$_GET[value1]');
With this as the 'value1' variable value:
'); DELETE FROM users; --
This error gets returned:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DELETE FROM users; --')' at line 1
What's wrong???
PS: Someone suggested me to do an SQL injection with this as variable value:
',(SELECT group_concat(table_name) FROM information_schema.tables INTO OUTFILE '/var/www/tables.txt'))-- -
But it didn't work either, and returned a syntax error.
回答1:
Your injection turns a single SQL statement (INSERT ...) into multiple SQL statements (INSERT ...; DELETE ...).
However, the PHP mysql API does not support multiple statements in a single query. (The underlying MySQL C API must be explicitly instructed to support this functionality, which your bindings do not do.)
回答2:
As @pilcrow points out, mysql_query will only accept a single statement. Your example is actually two statements:
INSERT INTO COMMENTS VALUES('122','value');
and:
DELETE FROM users;
The PHP mysql API will reject this immediately, so you can't use that to test SQL injection.
Another problem with the statement is the use of comment characters. The MySQL Comment Syntax states that:
From a “-- ” sequence to the end of the line. In MySQL, the “-- ” (double-dash) comment style requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on). This syntax differs slightly from standard SQL comment syntax, as discussed in Section 1.8.5.5, “'--' as the Start of a Comment”.
So you have to have whitespace after the --. If you use # instead, no following whitespace is required.
A simpler and safer way to begin your SQL injection testing is to try a simple SELECT:
$value = "1' OR 1; -- ";
$sql = "SELECT * FROM mytable WHERE id = '$value'";
print "$sql\n";
// SELECT * FROM mytable WHERE id = '1' OR 1; #'
$result = mysql_query($sql,$con);
// Should return multiple rows (if your table has multiple rows):
while ($row = mysql_fetch_assoc($result)) {
print "{$row['id']}\n";
}
As the PHP mysql API rejects multiple statements, some of the more commonly used examples of SQL injection won't work, and that's a good thing. However, as you can see from the simple example above, it doesn't prevent other forms on SQL injection.
Think how a statement like this could be affected:
DELETE FROM mytable WHERE id = '1'
Also bear in mind that deleting data is probably not of much use to anyone other than a malicious hacker who just wants to cause disruption. Obtaining confidential data to which you are not supposed to have access, on the other hand, may be very useful.
来源:https://stackoverflow.com/questions/6784902/sql-injection-on-insert